CVE-2013-0175 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2013-0175 Interim 1 10 2025-05-18T23:13:52Z current 2021-05-30T13:08:06Z 2025-05-18T23:13:52Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2013-0175 multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZTB6COKJCHLLO7JZY6ESFLTE672O2H4L/ E-Mail link for openSUSE-SU-2025:15122-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE OpenStack Cloud 6 openSUSE Tumbleweed ruby2.1-rubygem-multi_xml-0.5.5-1.1 ruby2.7-rubygem-multi_xml-0.6.0-1.14 ruby3.0-rubygem-multi_xml-0.6.0-1.14 ruby3.2-rubygem-multi_xml-0.6.0-1.23 ruby3.3-rubygem-multi_xml-0.6.0-1.27 ruby3.4-rubygem-multi_xml-0.6.0-1.29 ruby2.1-rubygem-multi_xml-0.5.5-1.1 as a component of SUSE OpenStack Cloud 6 ruby2.7-rubygem-multi_xml-0.6.0-1.14 as a component of openSUSE Tumbleweed ruby3.0-rubygem-multi_xml-0.6.0-1.14 as a component of openSUSE Tumbleweed ruby3.2-rubygem-multi_xml-0.6.0-1.23 as a component of openSUSE Tumbleweed ruby3.3-rubygem-multi_xml-0.6.0-1.27 as a component of openSUSE Tumbleweed ruby3.4-rubygem-multi_xml-0.6.0-1.29 as a component of openSUSE Tumbleweed multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156. CVE-2013-0175 SUSE OpenStack Cloud 6:ruby2.1-rubygem-multi_xml-0.5.5-1.1 openSUSE Tumbleweed:ruby2.7-rubygem-multi_xml-0.6.0-1.14 openSUSE Tumbleweed:ruby3.0-rubygem-multi_xml-0.6.0-1.14 openSUSE Tumbleweed:ruby3.2-rubygem-multi_xml-0.6.0-1.23 openSUSE Tumbleweed:ruby3.3-rubygem-multi_xml-0.6.0-1.27 openSUSE Tumbleweed:ruby3.4-rubygem-multi_xml-0.6.0-1.29 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P